Building a practical DevSecOps pipeline for free, presented at DevSecCon Boston 2018

by Jeff Williams

Summary: DevSecOps isn’t just smearing traditional security lipstick on DevOps. Terms like “shift left” and “security as code” are great in concept, but there is very little practical guidance on how to achieve them. In this talk, we’ll break down the core DevSecOps cycle (Analyze, Secure, Verify, Defend) and explore a number of additional practices. Then we’ll build and demonstrate an effective, scalable DevSecOps pipeline using *free* tools. We’ll use interactive testing tools to detect vulnerabilities and deliver them to developers in real time through the tools they are already using. We’ll also set up runtime protection to prevent exploits and enable application visibility in the SOC. We’ll extend our pipeline to include notification and protection for open source security. Anyone building software can adopt this blueprint and adapt it to the way that they build software.